apparmor denials when using 'maas-import-isos'

Bug #987374 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
maas-provision (Ubuntu) | Fix Released | High | Andres Rodriguez |

Bug Description

When running maas-import-isos with the /etc/apparmor.d/usr.bin.cobblerd profile enabled, I observed the following apparmor denials:
Apr 23 09:34:22 maas-precise-server-amd64 kernel: [ 534.632945] type=1400 audit(1335191662.396:22): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/usr/share/python-apt/templates/" pid=21546 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:22 maas-precise-server-amd64 kernel: [ 534.635351] type=1400 audit(1335191662.396:23): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list" pid=21546 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:22 maas-precise-server-amd64 kernel: [ 534.635949] type=1400 audit(1335191662.396:24): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list.d/" pid=21546 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:42 maas-precise-server-amd64 kernel: [ 554.961194] type=1400 audit(1335191682.724:25): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/usr/share/python-apt/templates/" pid=21956 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:42 maas-precise-server-amd64 kernel: [ 554.961267] type=1400 audit(1335191682.724:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list" pid=21956 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:42 maas-precise-server-amd64 kernel: [ 554.961788] type=1400 audit(1335191682.724:27): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list.d/" pid=21956 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:44 maas-precise-server-amd64 kernel: [ 556.337334] type=1400 audit(1335191684.100:28): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/ethers" pid=21979 comm="cobblerd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
Apr 23 10:58:19 maas-precise-server-amd64 kernel: [ 5571.725986] type=1400 audit(1335196699.488:29): apparmor="DENIED" operation="link" parent=1 profile="/usr/bin/cobblerd" name="/var/lib/tftpboot/images/memtest86+_multiboot.bin" pid=22403 comm="cobblerd" requested_mask="wcd" denied_mask="wcd" fsuid=0 ouid=0 target="/boot/memtest86+_multiboot.bin"
Apr 23 10:58:19 maas-precise-server-amd64 kernel: [ 5571.730405] type=1400 audit(1335196699.492:30): apparmor="DENIED" operation="link" parent=1 profile="/usr/bin/cobblerd" name="/var/lib/tftpboot/images/memtest86+.bin" pid=22403 comm="cobblerd" requested_mask="wcd" denied_mask="wcd" fsuid=0 ouid=0 target="/boot/memtest86+.bin"
Apr 23 10:58:19 maas-precise-server-amd64 kernel: [ 5571.851731] type=1400 audit(1335196699.612:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/dnsmasq.conf" pid=22403 comm="cobblerd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
Apr 23 10:58:21 maas-precise-server-amd64 kernel: [ 5573.440222] type=1400 audit(1335196701.204:32): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/ethers" pid=22421 comm="cobblerd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
Apr 23 10:58:22 maas-precise-server-amd64 kernel: [ 5575.058317] type=1400 audit(1335196702.820:33): apparmor="DENIED" operation="link" parent=1 profile="/usr/bin/cobblerd" name="/var/lib/tftpboot/images/memtest86+_multiboot.bin" pid=22434 comm="cobblerd" requested_mask="wcd" denied_mask="wcd" fsuid=0 ouid=0 target="/boot/memtest86+_multiboot.bin"
Apr 23 10:58:22 maas-precise-server-amd64 kernel: [ 5575.059203] type=1400 audit(1335196702.820:34): apparmor="DENIED" operation="link" parent=1 profile="/usr/bin/cobblerd" name="/var/lib/tftpboot/images/memtest86+.bin" pid=22434 comm="cobblerd" requested_mask="wcd" denied_mask="wcd" fsuid=0 ouid=0 target="/boot/memtest86+.bin"
Apr 23 10:58:22 maas-precise-server-amd64 kernel: [ 5575.161768] type=1400 audit(1335196702.924:35): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/dnsmasq.conf" pid=22434 comm="cobblerd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0

Jamie Strandboge (jdstrand) wrote :

Here is the failure output from maas-import-isos.

Changed in maas-provision (Ubuntu):
importance: Undecided → High
Changed in maas-provision (Ubuntu):
status: New → In Progress
assignee: nobody → Andres Rodriguez (andreserl)
Changed in maas-provision (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas-provision - 2.2.2-0ubuntu4

---------------
maas-provision (2.2.2-0ubuntu4) precise-proposed; urgency=low

  * Update apparmor profile, fixes denials when running
    maas-import-isos (LP: #987374)
  * 72_ubuntu_copy_boot_nohardlink.patch: Do not hardlink files from /boot/
    only copy them as it might impose a security vulnerability.
 -- Andres Rodriguez <email address hidden> Mon, 23 Apr 2012 16:41:10 -0400

Changed in maas-provision (Ubuntu):
status: Fix Committed → Fix Released
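
Added example (not part of the original report or of the maas-provision package): a Python triage script that de-duplicates AppArmor denials like the ones in the bug description into per-path candidate rules for review, and lists hardlink denials separately, since the fix copied files from /boot/ instead of permitting the link. `SAMPLE` holds lines copied from this report with the syslog prefix trimmed; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the denials in this report (syslog prefix trimmed).
SAMPLE = [
    'type=1400 audit(1335191662.396:23): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list" pid=21546 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=1400 audit(1335191662.396:24): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list.d/" pid=21546 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=1400 audit(1335191682.724:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list" pid=21956 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=1400 audit(1335191684.100:28): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/ethers" pid=21979 comm="cobblerd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0',
    'type=1400 audit(1335196699.492:30): apparmor="DENIED" operation="link" parent=1 profile="/usr/bin/cobblerd" name="/var/lib/tftpboot/images/memtest86+.bin" pid=22403 comm="cobblerd" requested_mask="wcd" denied_mask="wcd" fsuid=0 ouid=0 target="/boot/memtest86+.bin"',
]
FIELD = re.compile(r'(\w+)="([^"]*)"')  # quoted key="value" pairs only
# Log mask letters create (c) and delete (d) are covered by write (w) in a profile.
TO_PERM = {"c": "w", "d": "w"}
ORDER = "rwaklmx"  # output order; mask letters outside this set are dropped

def summarize(lines):
    """Return ({(profile, path): perms}, {(profile, link_name, target)}) for DENIED events."""
    files, links = defaultdict(set), set()
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or not {"profile", "name"} <= f.keys():
            continue
        if f.get("operation") == "link":
            # Kept apart from rule candidates: a hardlink to a file outside the
            # service's own tree deserves a design review, not an allow rule.
            links.add((f["profile"], f["name"], f.get("target", "?")))
            continue
        mask = f.get("denied_mask", "")
        files[(f["profile"], f["name"])].update(TO_PERM.get(c, c) for c in mask)
    perms = {k: "".join(p for p in ORDER if p in v) for k, v in files.items()}
    return perms, links

def candidate_rules(lines, profile):
    """Profile lines to review (not auto-apply) for one profile, sorted by path."""
    perms, _ = summarize(lines)
    return [f"{path} {p}," for (prof, path), p in sorted(perms.items()) if prof == profile]

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE, "/usr/bin/cobblerd"):
        print(rule)
    for _, name, target in sorted(summarize(SAMPLE)[1]):
        print(f"# hardlink denied: {name} -> {target}")
```
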